Quantum computing risk puts 7 million BTC including Satoshi Nakamoto’s 1 million at stake

If quantum computers are one day able to break Bitcoin’s cryptography, approximately 1 million Bitcoins belonging to Bitcoin network creator Satoshi Nakamoto could be vulnerable to theft.

At the current price of approximately $67,600 per Bitcoin, these holdings alone are worth approximately $67.6 billion.

But Satoshi’s coins are only part of the story.

CryptoQuant founder Ki Young Ju recently wrote on X that, by analysts’ estimates, approximately 6.98 million Bitcoins could be compromised in a sufficiently advanced quantum attack. At current prices, the exposed Bitcoin is worth approximately $440 billion.

The question that is becoming increasingly common both inside and outside Bitcoin circles is a simple and sometimes controversial one.

Why some coins are exposed

Exposure is not uniform. In the early days of Bitcoin, pay-to-public-key (P2PK) transactions embedded public keys directly on-chain. Modern addresses typically reveal only the hash of the key until the coin is spent, but once a public key is exposed through early mining or address reuse, the exposure is permanent. In sufficiently advanced quantum scenarios, the private keys behind these exposed public keys could theoretically be derived.
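The distinction can be checked mechanically from an output's locking script. The following sketch is an added example, not code from the article or from any Bitcoin project: it classifies outputs by whether a public key is visible at rest, and flags address reuse by matching unspent key hashes against hashes already spent from. The function names and the sample scripts are constructed for illustration, and the Taproot (P2TR) branch goes beyond what the article covers.

```python
# Added example. All scripts below are constructed placeholders, not chain data.

def classify(script: bytes):
    """Match a scriptPubKey against standard templates -> (type, key_or_hash)."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG. The full public key is in the output.
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        prefixes = (2, 3) if n == 35 else (4,)
        if script[1] in prefixes:
            return "p2pk", script[1:-1]
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "p2pkh", script[3:23]
    # P2WPKH: witness v0 + 20-byte key hash
    if n == 22 and script[:2] == b"\x00\x14":
        return "p2wpkh", script[2:]
    # P2TR: witness v1 + 32-byte x-only output key (a key, not a hash)
    if n == 34 and script[:2] == b"\x51\x20":
        return "p2tr", script[2:]
    return "other", b""


def audit(outputs):
    """outputs: [(script_hex, spent)] -> [(type, exposure)] for unspent outputs."""
    parsed = [(classify(bytes.fromhex(h)), spent) for h, spent in outputs]
    # Spending a hash-locked output publishes its public key for good.
    revealed = {p for (t, p), spent in parsed
                if spent and t in ("p2pkh", "p2wpkh")}
    report = []
    for (kind, payload), spent in parsed:
        if spent:
            continue
        if kind in ("p2pk", "p2tr"):
            exposure = "key-in-output"
        elif kind in ("p2pkh", "p2wpkh"):
            exposure = "key-revealed-by-reuse" if payload in revealed else "hash-only"
        else:
            exposure = "unclassified"
        report.append((kind, exposure))
    return report


SAMPLE = [  # constructed: (scriptPubKey hex, already spent?)
    ("41" + "04" + "11" * 64 + "ac", False),   # early-style P2PK, unspent
    ("76a914" + "aa" * 20 + "88ac", True),     # P2PKH that was spent from
    ("76a914" + "aa" * 20 + "88ac", False),    # same address funded again
    ("0014" + "bb" * 20, False),               # P2WPKH, never spent from
    ("5120" + "cc" * 32, False),               # P2TR
]
```

Calling `audit(SAMPLE)` returns one `(type, exposure)` pair per unspent output; only the `hash-only` rows still hide their public key.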

Neutrality and intervention

For some, freezing these coins would undermine Bitcoin’s fundamental neutrality.

“Bitcoin is structured to treat all UTXOs equally,” said Bitlease founder Nima Beni. “It does not differentiate based on wallet age, identity, or perceived future threats. This neutrality is fundamental to the protocol’s credibility.”

Even for security reasons, creating exceptions changes the architecture, he said. Once the power to freeze coins for protection exists, it also exists for other reasons.

Georgii Verbitskii, founder of cryptocurrency investor app TYMIO, raised a related concern: the network has no reliable way to determine which coins are lost and which are simply dormant.

“It’s virtually impossible to distinguish between coins that are truly lost and coins that are just dormant,” Verbitskii said. “From a protocol perspective, there’s no reliable way to differentiate.”

For this camp, the solution lies in upgrading cryptography and enabling a voluntary migration to quantum-resistant signatures, rather than rewriting ownership conditions at the protocol level.

Let math decide

Others argue that intervention would violate Bitcoin’s core principle: that private keys control the coin.

Tether CEO Paolo Ardoino said allowing old coins back into circulation, even through a quantum breakthrough, might be better than changing consensus rules.

“Any Bitcoin in a lost wallet, including Satoshi Nakamoto (if he is not alive), will be hacked and put back into circulation,” he continued. “The thinking is that any inflationary impact from lost coins returning to circulation will be temporary and the market will eventually absorb it.”

In this view, “code is law”: if cryptography keeps evolving, coins will move.

Roya Mahboob, CEO and founder of the Digital Citizenship Fund, has taken a similarly tough stance. “No, freezing old Satoshi-era addresses would violate immutability and property rights,” she told CoinDesk. “Even coins from 2009 are protected by the same rules as coins mined today.”

She added that if quantum systems eventually crack the exposed keys, “whoever solves them first should get the coins.”

However, Mahboob said she expects ongoing research by Bitcoin Core developers to drive upgrades to strengthen the protocol before any serious threats emerge.

Burning situation

Jameson Lopp said that allowing quantum attackers to sweep up vulnerable tokens would amount to a massive redistribution of wealth to those who first acquire advanced quantum hardware.

In his article “Against Allowing Bitcoin Quantum Recovery,” Lopp refuses to use the word “confiscation” when describing defensive soft forks. “I don’t think ‘forfeiture’ is the most accurate term,” Lopp wrote. “Instead, what we’re really talking about is best described as ‘burning,’ rather than putting money out of everyone’s reach.”

Such a move would likely require a soft fork that renders vulnerable outputs unspendable unless they are migrated to upgraded quantum-resistant addresses before the deadline, a change that would require broad social consensus.

He added that allowing quantum recovery would reward technological superiority rather than productive participation in the network. “Quantum miners do not conduct any transactions,” Lopp wrote. “They are vampires who feed on the system.”

How close is the threat?

While the philosophical debate intensifies, the technical timeline remains controversial.

Zeynep Koruturk, managing partner at Firgun Ventures, said the quantum community was “shocked” by recent research showing that the number of physical qubits needed to crack widely used encryption systems such as RSA-2048 is smaller than previously assumed.

“If this can be demonstrated and confirmed in the laboratory, then the time to decrypt RSA-2048 could theoretically be reduced to two to three years,” she said, noting that advances in large-scale fault-tolerant systems will eventually also apply to elliptic curve cryptography.

Others urged caution.

Arie Trouw, co-founder and chief technology officer of XYO, believes that “we are still very far away and there is no practical reason to panic.”

Frederic Fosco, co-founder of OP_NET, was more direct. Even if such machines emerge, “you can upgrade cryptography. That’s it. This is not a philosophical dilemma: This is an engineering problem with a known solution.”

In the end, it’s a question of governance, timing and philosophy, and whether the Bitcoin community can reach consensus before quantum computing becomes a realistic threat.

Freezing vulnerable coins would challenge Bitcoin’s claims of immutability. Allowing them to be swept would challenge its commitment to fairness.
